WordPress Release: 4.8.2

TL;DR

WordPress 4.8.2 is a security and maintenance release that addresses several important security vulnerabilities and fixes bugs in the Text widget, Emoji handling, and database preparation functions. This release includes critical security hardening for URL handling, file system operations, and database queries, making it an essential update for all WordPress sites.

Highlight of the Release

• Critical security hardening for URL handling, file system operations, and database queries
• Fixed Text widget issues with HTML encoding and PHP warnings
• Updated Twemoji to version 2.5.0 to fix Safari rendering issues
• Improved handling of locales with numbers during installation
• Enhanced shortcode previews in the TinyMCE editor

Migration Guide

No specific migration steps are required for this security and maintenance release. However, developers should note the following changes:

For Plugin and Theme Developers

• Database Query Changes: The wpdb::prepare() function now strictly enforces its documented behavior:

  • Only supports %s, %d, and %F as placeholders
  • Non-escaped percentage signs will be automatically escaped
  • When passing arrays of values, additional values beyond the required placeholders will be ignored
  • While null values are not officially supported, they won't trigger _doing_it_wrong() notices for backward compatibility

• Text Widget Processing: If you've built custom functionality around the Text widget, note that HTML handling has been updated to prevent double-encoding issues and PHP warnings from DOMDocument::loadHTML()

Upgrade Recommendations

Immediate Upgrade Recommended

This release contains critical security fixes that protect your WordPress site from potential vulnerabilities. All WordPress site owners should upgrade to version 4.8.2 immediately.

The security hardening in this release addresses several important areas including database query preparation, URL handling, and file system operations. These changes help protect your site from SQL injection, XSS attacks, and path traversal vulnerabilities.

As with any WordPress update, it's recommended to:

1. Back up your website before updating
2. Test the update on a staging environment if possible
3. Update all sites as soon as possible

This is a maintenance release that should not cause compatibility issues with most plugins and themes.

Bug Fixes

Text Widget Improvements

• Fixed issue where the visual Text widget was decoding already encoded HTML
• Suppressed PHP warnings raised by DOMDocument::loadHTML() in Text widget forms
• Added explicit HTML5 doctype when parsing Text widget contents in legacy mode detection
• Applied the_editor_content filters on widget text with format_for_editor()

Emoji Rendering

• Updated Twemoji to version 2.5.0 to fix rendering issues in Safari
• Fixed JavaScript testing for UN flag support which was incorrectly returning inverted results

Admin Interface

• Added proper URL-encoding and extra hardening to plugin and template names in the admin area
• Provided a fallback for incorrect HTTP referrers in Taxonomy and Users screens
• Ensured valid themes are used in the Customizer preview
• Used correct escaping function for URLs in Taxonomy/Users screens

Editor

• Improved shortcode previews in TinyMCE

New Features

Enhanced Security Measures

• URL Validation: Added prevention of javascript: and data: URLs in the inline link dialog to block potential XSS attacks
• Improved Sandboxing: Enhanced oEmbed HTML sandboxing for better security of embedded content
• File Path Validation: Added validation of filenames before unzipping to prevent path traversal attacks

Improved Compatibility

• PHPUnit Updates: Updated to the latest versions in the 4.x and 6.x branches of PHPUnit for testing
• Locale Support: Enhanced support for locales with numbers (like pt_PT_ao90) during installation

Security Updates

Critical Security Hardening

• Database Query Protection: Multiple improvements to wpdb::prepare() to prevent SQL injection:

  • Ensured additional values passed in arrays are properly ignored
  • Aligned behavior with documentation by properly escaping non-placeholder percentage signs
  • Maintained backward compatibility by not triggering errors for null values

• URL Handling:

  • Prevented adding potentially malicious javascript: and data: URLs through the inline link dialog
  • Improved URL encoding for plugin and template names in admin displays

• File System Security:

  • Added validation of filenames before unzipping to prevent path traversal attacks
  • Enhanced protection against malformed file paths

• Content Embedding:

  • Added extra hardening around allowed HTML in oEmbed for improved sandboxing

• Admin Interface:

  • Provided fallback for incorrect HTTP referrers in Taxonomy and Users screens
  • Ensured valid themes in the Customizer preview

Performance Improvements

No specific performance improvements were highlighted in this maintenance release. The focus was primarily on security hardening and bug fixes.

Impact Summary

WordPress 4.8.2 is primarily a security-focused release that addresses several critical vulnerabilities while also fixing bugs that affected the user experience.

The most significant impact comes from the security hardening measures implemented in database query preparation, URL handling, and file system operations. These changes protect WordPress sites from potential SQL injection, XSS attacks, and path traversal vulnerabilities.

For content creators, the fixes to the Text widget resolve issues with HTML encoding and PHP warnings that could affect content display. The update to Twemoji 2.5.0 ensures proper emoji rendering in Safari browsers, which previously had display issues.

Developers should be aware of the changes to wpdb::prepare() behavior, which now more strictly enforces its documented functionality while maintaining backward compatibility for existing code.

Overall, this release significantly improves the security posture of WordPress sites without introducing breaking changes, making it an essential update for all WordPress installations.